IE Attacks Circulate as Microsoft Updates Advisory

In the face of ongoing attacks, Microsoft updates its security advisory for an Internet Explorer vulnerability a day after a security researcher published exploit code for the vulnerability on the Internet.

Ongoing attacks targeting a new zero-day bug in Internet Explorer and the presence of exploit code on the Web prompted Microsoft March 12 to update its advisory.

According to Microsoft, the IE vulnerability in question is due to an invalid pointer reference being used within IE. It is only known to affect IE 6 and 7. To address the issue, the company has made a handful of workarounds available and updated the advisory today to add a Microsoft Fix It that automates a workaround for Windows XP and Windows Server 2003 users.

Other workarounds include reconfiguring Internet Zone settings to High and modifying the access control list on iepeers.dll. Instructions for how to do both things are contained within the Microsoft advisory.

Since Microsoft published the advisory March 9, exploit code for the IE flaw has gone public, triggering some concern that there will be a rise in attacks in the days ahead as users wait for a patch.

"Observed attacks against this vulnerability continue to be limited and targeted; however, with the recent release of publicly available exploit code Symantec expects this vulnerability, like most other recent browser and plug-in vulnerabilities, to be added to attack kits and ongoing criminal campaigns in the near future," said Ben Greenbaum, security intelligence manager for Symantec Security Response.

Meanwhile, researchers at Sophos are tracking a spam campaign pushing out exploits for the IE vulnerability. According to Sophos, attackers were observed this week using malicious links in e-mails to lead users to malicious sites that unload the exploit onto their computers.

"Messages used at least two social engineering tricks to lure victims into clicking the malicious link: the tried and tested 'delivery failed, please confirm address details' messages [and a] request for details confirmation for [an] insurance quote," blogged Fraser Howard, principal researcher with SophosLabs.

Though his colleague Sophos Senior Security Advisor Chester Wisniewski said the spam campaign is relatively limited, he noted that there was a concern that the exploits will continue to get more refined as users await a patch. Already, he said, the exploit Howard blogged about included a downloader that can retrieve other malicious payloads to infect the user.

"What is more worrying is that this could be similar to the pattern we saw with threats like Conficker," Wisniewski said. "Initially there were a few zero-day exploits against MS08-067, but none were overly successful. This prompted MS to release out of band in Oct 08, yet Conficker didn't come out until November. The Conficker guys perfected the clumsy early attacks and refined them into a very nasty machine."

Jerry Bryant, senior security communications manager lead at Microsoft, blogged that the company is in the process of testing an update that addresses the issue. He did not say definitively whether Microsoft would issue an out-of-band update to patch the problem.

In the meantime, Howard suggested users "take a hint" and upgrade to IE 8, the most current version of the browser.

"Aside from not being affected [by] this particular [problem], there are a whole bundle of other security-related features you are missing out on otherwise," he blogged.